1. Simplified DES
2. Block cipher principles
3. DES algorithm
4. Strength of DES
5. Differential and linear cryptanalysis
6. Block cipher design principles
7. Block cipher modes of operation
SIMPLIFIED DES
finally, a permutation function that is the inverse of the initial
permutation (IP⁻¹). The decryption process is similar.
The function fK takes as input an 8-bit subkey. Two such subkeys are
derived from the 10-bit initial key. The key is first subjected to a
permutation P10. Then a shift operation is performed. The output of the
shift operation then passes through a permutation function that produces
an 8-bit output (P8) for the first subkey (K1). The output of the shift
operation also feeds into another shift and another instance of P8 to
produce the 2nd subkey K2.
We can express the encryption algorithm as a composition of functions:
$IP^{-1} \circ f_{K_2} \circ SW \circ f_{K_1} \circ IP$
or
$\text{Ciphertext} = IP^{-1}(f_{K_2}(SW(f_{K_1}(IP(\text{plaintext})))))$
where
$K_1 = P8(\text{Shift}(P10(\text{key})))$
S-DES KEY GENERATION
Scheme of key generation:
Each position in this table gives the identity of the input bit that produces
the output bit in this position. So, the 1st output bit is bit 3 (k3), the 2nd
is k5 and so on. For example, the key (1010000010) is permuted to
(1000001100).
Next, perform a circular left shift (LS-1), or rotation, separately on the
1st 5 bits and the 2nd 5 bits. In our example, the result is (00001 11000).
Next, we apply P8, which picks out and permutes 8 out of 10 bits
according to the following rule:
P8
6 3 7 4 8 5 10 9
The result is subkey K1. In our example, this yields (10100100).
We then go back to the pair of 5-bit strings produced by the 2 LS-1
functions and perform a circular left shift of 2 bit positions on each
string. In our example, the value (00001 11000) becomes (00100 00011).
Finally, P8 is applied again to produce K2. In our example, the result is
(01000011).
S-DES ENCRYPTION
IP⁻¹
4 1 3 5 7 2 8 6
It may be verified that IP⁻¹(IP(X)) = X.
The most complex component of S-DES is the function fK, which
consists of a combination of permutation and substitution functions. The
function can be expressed as follows. Let L and R be the leftmost 4 bits
and rightmost 4 bits of the 8-bit input to fK, and let F be a mapping (not
necessarily one to one) from 4-bit strings to 4-bit strings. Then we let
fK(L, R) = (L ⊕ F(R, SK), R)
where SK is a subkey and ⊕ is the bit-by-bit XOR operation. For
example, suppose the output of the IP stage in Fig. 3.3 is (1011 1101) and
F(1101, SK) = (1110) for some key SK. Then fK(1011 1101) = (0101 1101)
because (1011) ⊕ (1110) = (0101).
We now describe the mapping F. The input is a 4-bit number (n1 n2 n3
n4). The 1st operation is an expansion/permutation:
E/P
4 1 2 3 2 3 4 1
For what follows, it is clearer to depict result in this fashion:
n4|n1 n2|n3
n2|n3 n4|n1
The 8-bit subkey K1 = (k11, k12, k13, k14, k15, k16, k17, k18) is added
to this value using XOR:
n4+k11|n1+k12 n2+k13|n3+k14
n2+k15|n3+k16 n4+k17|n1+k18
Let us rename these bits:
p00|p01 p02|p03
p10|p11 p12|p13
The 1st 4 bits (1st row of the preceding matrix) are fed into the S-box S0
to produce a 2-bit output, and the remaining 4 bits (2nd row) are fed into
S1 to produce another 2-bit output. These 2 boxes are defined as follows:
S0:      0  1  2  3          S1:      0  1  2  3
    0    1  0  3  2              0    0  1  2  3
    1    3  2  1  0              1    2  0  1  3
    2    0  2  1  3              2    3  0  1  0
    3    3  1  3  2              3    2  1  0  3
The S-boxes operate as follows. The 1st and 4th input bits are treated as a
2-bit number that specifies a row of the S-box, and the 2nd and 3rd input
bits specify a column of the S-box. The entry in that row and column, in base
2, is the 2-bit output. For example, if (p00, p03) = (00) and (p01, p02) =
(10), then the output is from row 0, column 2 of S0, which is 3, or (11) in
binary. Similarly, (p10, p13) and (p11, p12) are used to index into a row
and column of S1 to produce an additional 2 bits.
Next, the 4 bits produced by S0 and S1 undergo a further permutation as
follows:
P4
2 4 3 1
The output of P4 is the output of function F.
The function fK only alters the leftmost 4 bits of input.
The switch function SW interchanges the left and right bits so that the 2nd
instance of fK operates on a different 4 bits. In the 2nd instance, the E/P,
S0, S1, and P4 functions are the same. The key input is K2.
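The key schedule and the two fK rounds described above, as an added Python example (not part of the original slides). P8, IP⁻¹, E/P, P4, S0 and S1 are the page's tables; P10 and IP are the standard S-DES tables, which the page refers to but does not print, and all function names are illustrative.

```python
# Added example. P8, IP^-1, E/P, P4, S0, S1 are the page's tables; P10 and IP are
# the standard S-DES tables (assumed here, since the page does not print them).
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def permute(bits, table):
    """Output bit i is input bit table[i] (1-based), as in the page's tables."""
    return "".join(bits[i - 1] for i in table)

def rotl(half, n):
    return half[n:] + half[:n]                     # circular left shift by n

def xor(a, b):
    return "".join("01"[x != y] for x, y in zip(a, b))

def subkeys(key10):
    p = permute(key10, P10)
    l, r = rotl(p[:5], 1), rotl(p[5:], 1)          # LS-1 on each 5-bit half
    k1 = permute(l + r, P8)
    l, r = rotl(l, 2), rotl(r, 2)                  # LS-2 on the LS-1 output
    return k1, permute(l + r, P8)

def sbox(box, p):
    row, col = int(p[0] + p[3], 2), int(p[1] + p[2], 2)   # bits 1,4 -> row; 2,3 -> column
    return format(box[row][col], "02b")

def f_k(block, sk):
    l, r = block[:4], block[4:]
    p = xor(permute(r, EP), sk)                    # E/P, then XOR with the subkey
    f = permute(sbox(S0, p[:4]) + sbox(S1, p[4:]), P4)
    return xor(l, f) + r                           # only the left 4 bits change

def crypt(block, k_first, k_second):
    x = f_k(permute(block, IP), k_first)
    x = f_k(x[4:] + x[:4], k_second)               # SW, then the second fK
    return permute(x, IP_INV)

def encrypt(pt, key10):
    return crypt(pt, *subkeys(key10))              # K1 first, then K2

def decrypt(ct, key10):
    return crypt(ct, *reversed(subkeys(key10)))    # same algorithm, K2 first
```

Bit strings are passed as text, for example `subkeys("1010000010")` for the key used in the key-generation walkthrough.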
ANALYSIS OF SIMPLIFIED DES
A brute-force attack on S-DES is feasible since with a 10-bit key there
are only 1024 possibilities.
What about cryptanalysis? If we know plaintext (p1p2p3p4p5p6p7p8)
and respective ciphertext (c1c2c3c4c5c6c7c8), and key
(k1k2k3k4k5k6k7k8k9k10) is unknown, then we can express this
problem as a system of 8 nonlinear equations with 10 unknowns. The
nonlinearity comes from the S-boxes. It is useful to write down equations
for these boxes. For clarity, rename (p00,p01,p02,p03)=(a,b,c,d) and
(p10,p11,p12,p13)=(w,x,y,z). Then the operation of S0 is defined in the
following equations:
q=abcd+ab+ac+b+d
r=abcd+abd+ab+ac+ad+a+c+1
where all additions are made modulo 2. Similar equations define S1.
Let us show it.
Truth table for S0:
   | q r | a d b c
 0 | 0 1 | 0 0 0 0
 1 | 0 0 | 0 0 0 1
 2 | 1 1 | 0 0 1 0
 3 | 1 0 | 0 0 1 1
 4 | 1 1 | 0 1 0 0
 5 | 1 0 | 0 1 0 1
 6 | 0 1 | 0 1 1 0
 7 | 0 0 | 0 1 1 1
 8 | 0 0 | 1 0 0 0
 9 | 1 0 | 1 0 0 1
10 | 0 1 | 1 0 1 0
11 | 1 1 | 1 0 1 1
12 | 1 1 | 1 1 0 0
13 | 0 1 | 1 1 0 1
14 | 1 1 | 1 1 1 0
15 | 1 0 | 1 1 1 1
q =
(a ∨ d ∨ b ∨( a ∨ c) d ∨ b ∨ ( a ∨ c )
(a ∨ d ∨ b ∨ ( a ∨ c ) d ∨ b ∨( a ∨ c) d
=
(a ∨ d ∨( a ∨ b) d ∨ ( a ∨ b ) d ∨ c)
(
(a ∨ db ∨ bd )
( a ∨ b d ∨ dc ∨ cd ∨ b c a b d ∨ ab d ∨ a bd ∨ a b c ∨ ac d ∨ a c d
(a b d + (1 +( 1 + a) b) d ) ∨ (1 + a )b (1 + ∨ (b c (1 + d ) + (1 +( 1 + b) c)d ) =
(d + (a d + a c ) ∨ (b c + d + b d + c d ) =
(d + (a b d + a c d + a c + b c + d + b d + c d +
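The step from the S-box table to the modulo-2 equations for q and r can be done mechanically. The following added Python example (not part of the original slides) rebuilds the polynomials from the S0 table with a Möbius transform over the truth table; the function names are illustrative, and the same call works for S1, whose equations the page does not print.

```python
# Added example: rebuild the mod-2 polynomials of an S-box from its table.
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))
VARS = (("a", 8), ("b", 4), ("c", 2), ("d", 1))   # input index x = 8a + 4b + 2c + d

def sbox_bits(box, x):
    """Look up input x = (a, b, c, d): row from (a, d), column from (b, c)."""
    a, b, c, d = (x >> 3) & 1, (x >> 2) & 1, (x >> 1) & 1, x & 1
    value = box[2 * a + d][2 * b + c]
    return value >> 1, value & 1                   # (q, r): high and low output bit

def anf(truth):
    """Moebius transform: 16-entry truth table -> monomials of its mod-2 polynomial."""
    coeff = list(truth)
    for _, bit in VARS:
        for x in range(16):
            if x & bit:
                coeff[x] ^= coeff[x ^ bit]         # fold in the entry with this variable at 0
    terms = ["".join(v for v, bit in VARS if m & bit) or "1"
             for m in range(16) if coeff[m]]
    # Highest-degree terms first, the constant 1 last, as the page writes them.
    return sorted(terms, key=lambda t: (t == "1", -len(t), t))

def polynomials(box):
    """Return the polynomials for output bits q and r as strings."""
    table = [sbox_bits(box, x) for x in range(16)]
    return tuple(" + ".join(anf([row[i] for row in table])) for i in (0, 1))

if __name__ == "__main__":
    for name, box in (("S0", S0), ("S1", S1)):
        q, r = polynomials(box)
        print(f"{name}: q = {q}")
        print(f"{name}: r = {r}")
```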
$IP^{-1} \circ f_{K_{16}} \circ SW \circ f_{K_{15}} \circ SW \circ \cdots \circ SW \circ f_{K_1} \circ SW \circ IP$
MOTIVATION FOR THE FEISTEL CIPHER STRUCTURE
Encryption should be reversible. Fig. 3.4 shows the logic of a general
substitution cipher for n=4 (block size).
THE FEISTEL CIPHER
proposal by Claude Shannon of 1945
(http://www-gap.dcs.st-and.ac.uk/~history/Mathematicians/Shannon.html) to
develop a product cipher that alternates confusion and diffusion functions
DIFFUSION AND CONFUSION
These are measures to thwart cryptanalysis based on statistical analysis.
In diffusion, the statistical structure of the plaintext is dissipated into long
range statistics of the ciphertext. This is achieved by having each
plaintext letter affect the value of many ciphertext digits, which is
equivalent to saying that each ciphertext digit is affected by many
plaintext digits. An example of diffusion is to encrypt a message
M = m1, m2, m3, ... of characters with an averaging operation:
$y_n = \sum_{i=1}^{k} m_{n+i} \pmod{26}$
FEISTEL CIPHER STRUCTURE
All rounds have the same structure. A substitution is performed on the
left half of the data. This is done by applying a round function F to the
right half of the data and then taking the exclusive-OR of the output of
that function and the left half of the data. The round function has the
same general structure for each round but is parameterized by the round
subkey Ki. Following this substitution, a permutation is performed that
consists of the interchange of the two halves of the data. This structure
is a particular form of the substitution-permutation network (SPN)
proposed by Shannon.
The exact realization of a Feistel network depends on the choice of the
following parameters and design features:
Block size: large size means greater security but greater overhead (64,
128 bits)
Key size: large size means greater security but greater overhead (64, 128
bits)
Number of rounds: multiple rounds increase security (16 rounds)
Subkey generation algorithm: greater complexity means more secure
Round function: greater complexity means more secure
Additionally:
Fast software encryption/decryption: speed of execution becomes a
concern
Ease of analysis: it should be difficult to cryptanalyze, but easy to
analyze for cryptanalytic vulnerabilities.
We can see that S-DES exhibits a Feistel structure with 2 rounds. The one
difference from a “pure” Feistel structure is that the algorithm begins and
ends with a permutation function. This difference also appears in full
DES.
FEISTEL DECRYPTION ALGORITHM
The process of decryption with a Feistel cipher is essentially the same as
the encryption process. The rule is as follows: use the ciphertext as input
to the algorithm, but use the subkeys Ki in reverse order. That is, use Kn
in the 1st round, and so on, until K1 is used in the last round. This is a
nice feature, because we can use just one algorithm both for encryption and
decryption.
Consider encryption/decryption processes:
Let LEi, REi be the data travelling through encryption, and LDi, RDi the
data travelling through decryption. The output of the ith encryption round
is LEi||REi (concatenation). To simplify the diagram, it is untwisted, not
showing the swap that occurs at the end of each iteration. But the
intermediate result at the end of the ith stage of the encryption process
is the 2w-bit LEi||REi, and the intermediate result at the end of the ith
stage of decryption is LDi||RDi. Then the corresponding input to the
(16-i)th decryption round is LEi||REi, or, equivalently, RD16-i||LD16-i.
Let’s prove that.
After the last iteration, the two halves are swapped, so that the ciphertext
is RE16||LE16. Now take the ciphertext and use it as input to the same
algorithm. The input to the 1st round is RE16||LE16, which is equal to the
32-bit swap of the output of the 16th round of the encryption process.
Now we show that the output of the 1st round of the decryption process is
equal to a 32-bit swap of the output of the 15th round of the encryption
process. First, consider encryption process,
LE16=RE15
RE16=LE15+F(RE15,K16)
On the decryption side,
LD1=RD0=LE16=RE15
RD1=LD0+F(RD0,K16)=RE16+F(RE15,K16)=
[LE15+F(RE15,K16)]+F(RE15,K16)=LE15
Thus, we have
LD1=RE15
RD1=LE15,
So the output of the 1st stage of the decryption process is equal to a
32-bit swap of the output of the 15th round of the encryption process:
LD1||RD1=RE15||LE15. Continuing in the same way, we come to
LDi||RDi=RE(16-i)||LE(16-i).
Also, we can write
LEi=RE(i-1)
REi=LE(i-1)+F(RE(i-1),Ki)
or
RE(i-1)=LEi
LE(i-1)=REi+F(RE(i-1),Ki)= REi+F(LEi,Ki)
and these equations confirm the assignments shown in the right-hand side
of Figure 3.6.
Output of the last round of the decryption process is
LD16||RD16=RE0||LE0
A 32-bit swap recovers the original plaintext. Note that the derivation
does not require that F be a reversible function (for example, it may be a
constant value 1).
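The derivation above, run as an added Python example (not part of the original slides): a 16-round Feistel network on 32-bit halves, decrypted by the same routine with the subkeys reversed, with a check of LDi||RDi = RE(16-i)||LE(16-i) at every round. The round function F (a truncated SHA-256, deliberately not invertible), the subkey values and all names are assumptions made for the illustration.

```python
import hashlib

MASK = 0xFFFFFFFF   # 32-bit halves, as in the page's 16-round derivation

def F(r, k):
    """Hypothetical round function; truncating a hash makes it non-invertible."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def rounds(left, right, subkeys, f=F):
    """Run every round and return the states (L_i, R_i) for i = 0..n."""
    states = [(left, right)]
    for k in subkeys:
        # L_i = R_(i-1);  R_i = L_(i-1) + F(R_(i-1), K_i), with + meaning XOR
        left, right = right, left ^ f(right, k)
        states.append((left, right))
    return states

def feistel(block, subkeys, f=F):
    """Encrypt a 64-bit block; pass the subkeys reversed to decrypt."""
    left, right = rounds(block >> 32, block & MASK, subkeys, f)[-1]
    return (right << 32) | left                    # final swap: output is R_n || L_n

def trace_matches(block, subkeys, f=F):
    """True if LD_i || RD_i == RE_(n-i) || LE_(n-i) holds for every i = 0..n."""
    n = len(subkeys)
    enc = rounds(block >> 32, block & MASK, subkeys, f)
    ct = feistel(block, subkeys, f)
    dec = rounds(ct >> 32, ct & MASK, subkeys[::-1], f)
    return all(dec[i] == (enc[n - i][1], enc[n - i][0]) for i in range(n + 1))

# Constructed sample subkeys K1..K16 (not from the page).
SUBKEYS = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]

if __name__ == "__main__":
    pt = 0x0123456789ABCDEF                        # constructed sample plaintext
    ct = feistel(pt, SUBKEYS)
    print(hex(ct), hex(feistel(ct, SUBKEYS[::-1])), trace_matches(pt, SUBKEYS))
```

Passing `f=lambda r, k: 1` reproduces the page's remark that decryption still works when F is the constant value 1.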
S-DES Encryption and Decryption
Wokey, here it is in pictorial form. Sorry it’s handwritten. This is the detailed version, to
get the bigger flowchart refer to my notes
We start by key generation, to generate the two 8-bit subkeys (K1 and K2):
Then the next loop:
We ended with 0001 0101 as ciphertext, we should be able to decrypt it back to 0100
0001. Remember, during decryption we use K2 first then K1.
Second loop of decryption process: